Ecommerce businesses are projected to grow by more than 100% yearly, with the total industry value already at $3.53 trillion. With so much money on the line, it’s no wonder eCommerce websites are lucrative targets for cybercriminals.
In this article, we’ll explore how Reblaze secures larger-tier eCommerce sites: the kind of threats that household name platforms such as eBay face, and what Reblaze is doing to mitigate them.
Thwarting Major Attack Vectors
Online retail is a major target for cyberattacks—and those at the “enterprise” scale of operations face a specific cluster of attack patterns. Of course, every business with a web presence must contend with today’s hostile Internet environment. But larger retail sites usually have strong cybersecurity resources at their disposal, so the basic threats are mitigated. The more serious threats are found in the attack patterns below.
Hostile botnets pose a major challenge to all website operators, but distributed denial of service (DDoS) is a particularly lucrative means of extorting major eCommerce platform owners, because their revenue is directly proportional to the traffic that their sites receive. During peak traffic periods, these sites are particularly vulnerable — for example, during Black Friday, DDoS attacks can increase by as much as 70%.
In DDoS extortion, the attacker launches an attack and floods the victim’s network with massive amounts of botnet traffic. The attacker then contacts the victim, and demands that a ransom be paid (usually with a cryptocurrency such as Bitcoin), as the price for halting the assault. Unless and until the ransom is paid, the attack will continue, and the targeted site will experience degraded availability to its customers—if it is available at all.
Retail site owners therefore face a tricky technical challenge: they need to maintain highly performant websites capable of serving traffic at sufficient scale, while also filtering out malicious traffic being orchestrated by those trying to extort them. For effective DDoS protection, scrubbing has to happen both in real time and at scale.
Credit Card Data Theft
Credit card numbers are valuable commodities on the dark web. If a retail site processes its own payments, then hackers know that many users have probably saved their credit card information in the site’s backend. And card data is a tempting target for theft and subsequent sale.
To steal card data from a site, bots are sent to scan for vulnerabilities. When a vulnerability is found, the hacker breaches the site and steals the data. One successful attack can produce a windfall of cards: thousands, or even tens of thousands of active numbers.
Retail sites are damaged by these attacks in a variety of ways. Financial losses occur when stolen card numbers are used to make fraudulent purchases. Site owners also suffer a loss of reputation once the breach becomes known; they become liable to fines from privacy regulators; and they accrue potential legal liability from the breach and the identity thefts that follow it.
Also, site owners can become unwilling accomplices to credit card data theft. Validated card data is worth more on the dark web, so threat actors often use bots to validate stolen numbers; the bots enter the numbers into retail web applications to see if they are accepted or rejected. A similar technique is used to discover new cards: bots cycle through potential numbers and enter them into web applications. This is a crude, but effective, way to steal additional cards that were previously unknown to the attacker.
Preventing Credit Card Data Theft
Preventing malicious credit-card activities is difficult, but a key factor is that these attacks rely on bots.
Not all bot traffic is hostile. For example, online retailers often welcome search engine spiders and shopping engine bots. But eCommerce sites and web applications need to inspect all incoming traffic and identify its source, so that all requests originating from hostile non-human sources are blocked. Reblaze offers sophisticated bot management, allowing site owners to exclude hostile bots from sites, web applications, and APIs.
Reblaze performs its bot mitigation with near-zero latency (~0.5 ms), allowing the protected sites to remain performant to their customers. Incoming traffic passes rapidly through a multi-stage filtering process, including fine-grained ACLs, user/browser environment detection, blacklisting, signature detection, geolocation screening, dynamic rate limiting, anomaly detection, biometric behavioral profiling, and more.
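As an added example (not Reblaze's code, nor any product's actual detection logic), one way to express the card-validation pattern described above as detection logic: a per-source sliding window over constructed payment-authorization log lines, flagging sources that cycle through many distinct cards with mostly declined results. The log format, the opaque card-fingerprint field, and the thresholds are assumptions chosen for illustration.

```python
"""Card-testing detector: flags sources that try many distinct cards
with a high decline ratio inside a short window. Added example, not
Reblaze code; log format and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a payment-authorization log (not real traffic).
# Fields: timestamp, client IP, card fingerprint (opaque hash, never the PAN), gateway result.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 fp=a1 result=declined
2024-03-01T10:00:04Z 203.0.113.7 fp=b2 result=declined
2024-03-01T10:00:07Z 203.0.113.7 fp=c3 result=declined
2024-03-01T10:00:09Z 203.0.113.7 fp=d4 result=approved
2024-03-01T10:00:12Z 203.0.113.7 fp=e5 result=declined
2024-03-01T10:00:15Z 203.0.113.7 fp=f6 result=declined
2024-03-01T10:01:00Z 198.51.100.2 fp=z9 result=declined
2024-03-01T10:01:30Z 198.51.100.2 fp=z9 result=approved
2024-03-01T10:02:00Z 192.0.2.10 fp=y8 result=approved
"""

WINDOW = timedelta(minutes=10)   # assumed observation window
MIN_DISTINCT_CARDS = 5           # legitimate shoppers rarely rotate many cards
MIN_DECLINE_RATIO = 0.6          # guessed or stolen numbers mostly fail

def parse(line):
    ts, ip, fp, res = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip,
            fp.split("=", 1)[1], res.split("=", 1)[1])

def card_testing_sources(log_text):
    """Return {ip: (distinct_cards, decline_ratio)} for flagged sources."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, fp, res in events:
        by_ip[ip].append((ts, fp, res))
    flagged = {}
    for ip, evs in by_ip.items():
        # Sliding window: evaluate the window ending at each event in turn.
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            cards = {fp for _, fp, _ in window}
            declines = sum(1 for _, _, r in window if r == "declined")
            ratio = declines / len(window)
            if len(cards) >= MIN_DISTINCT_CARDS and ratio >= MIN_DECLINE_RATIO:
                flagged[ip] = (len(cards), round(ratio, 2))
    return flagged
```

A flagged source is a candidate for the dynamic rate limiting or challenge step mentioned above rather than an automatic block, since a shared NAT address can also produce a burst of declines.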
Other Attack Patterns
In addition to the threats described above, cybersecurity teams need to defend against a variety of other attacks as well. These include:
Malicious actors, including rival marketplaces, can configure bots that automatically place in-demand merchandise into carts. This tactic is frequently used to try to thwart sales and prevent trending SKUs from gaining traction during the run-up to peak buying periods. Depending on the eCommerce site’s configuration and backend ERP, this can have the same effect on inventory management systems as real orders. This artificially depletes inventory, and causes the product to display to real prospective customers as being out of stock. Clearly, this form of bot attack can cause major losses to business owners.
Advertising fraud involves bots mimicking the behavior of real users by clicking on pay-per-click (PPC) banner and text advertisements overlaid upon an eCommerce marketplace. This has the result of upping advertisers’ PPC spends and degrading their ROI, thereby discouraging them from continuing to run campaigns with that marketplace. Over time, it will also damage the ability of the site to run ads from that network.
False Account Creation and Bot-Bidding
In auction-based marketplaces, bots can be used to artificially drive up bids. To do this, fake bot accounts need to be created. Reblaze inspects not only the technical parameters (such as the user agent and IP address) of new account registrations, but also the behavior of these “users”, comparing their actions to biometric behavioral profiles constructed by Machine Learning from accrued behavioral data of legitimate users. Attempts at automated account creation are flagged and blocked. This creates a vital second line of defense to methods such as reCAPTCHA, ensuring that only legitimate users are allowed to create accounts—not only on auction sites, but on all types of eCommerce sites and web applications.
Credential Stuffing and Account Takeover
Credential stuffing involves malicious bots “stuffing” usernames and passwords into eCommerce sites in order to gain access to accounts. The credentials used are usually obtained from data breaches of other sites, whether obtained directly or purchased on the black market. Once bots gain access, they can attempt to change credentials to lock out their rightful owners. Those operating the accounts can use them to fraudulently buy goods or perform other illicit activities.
Finally, eCommerce websites are liable to have their pricing data and other content scraped by competitors (which then undercut their prices), or by data aggregators which sell it for a variety of purposes—most of which are ultimately harmful to the victimized site.
The Need for a Multifaceted Approach
Large eCommerce websites present a wide variety of opportunities for illicit gain. Thus, they are likely to remain, for the foreseeable future, heavily targeted by cybercriminals.
eCommerce sites face a variety of threats: everything from competing retailers trying to suppress their competitors by orchestrating DDoS attacks around peak purchasing periods, to cybercriminals building networks of compromised or fake accounts with credentials obtained from data breaches.
To protect against these threats, eCommerce site owners need to operate multifaceted protection systems that include a next-generation WAF, DDoS protection, sophisticated bot detection, and behavioral analysis tools.